Releases: bestpractical/rt
Releases · bestpractical/rt
rt-5.0.6
RT 5.0.6 -- 2024-05-06
RT 5.0.6 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, there is one new configuration option
that provides new strict browser caching. See below for details.
https://download.bestpractical.com/pub/rt/release/rt-5.0.6.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.6.tar.gz.asc
SHA-256 sums
b556bedd2b4a356ec9f54eb673ff250ae9100347a04d11e34637e3fdd3efdddb rt-5.0.6.tar.gz
783d633f62efaff18fc352c6ccbfa2f9f58408eb22e820885e1ed517a2ba8978 rt-5.0.6.tar.gz.asc
Strict Browser Cache Configuration Option
CVE-2024-3262 describes previously viewed pages being stored in the
browser cache, which is the typical default behavior of most browsers to
enable the "back" button. Someone who gains access to a host computer could
potentially view ticket data using the back button, even after logging out
of RT. The CVE specifically references RT version 4.4.1, but this behavior
is present in most browsers viewing all versions of RT before 5.0.6.
RT 5.0.6 adds a new configuration option, $WebStrictBrowserCache, which
instructs the browser not to cache page content from RT. If you run RT,
including RTIR, with highly sensitive ticket data, you can enable this new
option to prevent browser caching. The default is still disabled, to
allow for normal browser functionality, so you need to enable this option
to run with the new feature.
General user features
- Support to hide empty custom roles on ticket display page
- Support to explicitly bind Business Hours for CustomDateRanges
- Distinguish business hours by adding related css classes in search chart table
- Process ticket owner updates before message updates
- Prevent double-clicking from submitting forms multiple times
- Open results from chart table in new tab
- Create UI for adjusting dashboard column width
- Load owner dropdown via AJAX for inline edit on list to speed up page load
- Multiple updates to provide autocomplete for asset links and to
improve other linking autocomplete (based on code from gibus, thanks!) - Set filename of attachments when it's absent for Outlook
- Escape one-time checkbox name in case it contains special regex characters
- Provide initial support for charts with transaction searches
- Fix Create Linked Ticket modal on Self Service Asset page
- Move asset widget to right column on self service ticket
- Support inline edit for assets
- On search filter, use a wider modal for Created column just like LastUpdated
- Support URL shortener for links in search pagination
- Add initial support for charts with assets
- Add search filter support to assets
- On charts, increase "Group By" rows to 5 to group by 2 more fields
- Fix ticket/attachment links on SelfService transaction display page
- Remove the empty option from multiple-value select custom fields
- Load the first catalog current user can create assets in on asset create page
- Submit form when catalog changes on asset simple search page
- Improve styling for self service article search
- Make header in search result TSV more consistent with the one in web UI
- Do not use Inter font for monospace so pre tags render correctly in ticket history
- Fix "Update" operation for article saved searches
- Add option to find disabled articles in search
- Support to sort/limit axis labels in search charts
- On SMIME decrypt, try next address if current certificate does not match
- Automatically hide inline edit links/buttons if there are no fields to edit
- Allow one-time email addresses to wrap, preventing overlap with long addresses
- Hide inline edit by default for asset "Dates" that lacks grouped custom fields
- Sync checkboxes before deciding to check/uncheck TxnSendMailToAll
Documentation
- Document restricting access to REST 1.0 mail-gateway
- Update POD with Region example
- Document WebSecureCookies in README
- Fix spelling in documentation (thanks Andrew!)
- Add date search documentation
- Update the outdated config name $InlineDashboardCSS in docs
- Fix internal pod links in docs
- Switch the README to Markdown and improve layout on GitHub
- Increase client_max_body_size to 100M in Nginx config example
- Correct POD headers for CustomField methods (thanks nreiling!)
- Dashboards are now in the Reports menu, not Home
- Remove unresolved link to the configure script
- Link AutoAddWatchers to metacpan and not RT docs
Administration
- Avoid creating duplicated custom fields from initialdata
- Clear all RT crypt headers from incoming email before processing
- Add region to Amazon::S3 params
- Load RT size only on demand to speed up configuration page load
- Support custom labels for ValidateCustomFields
- Hide search and bulk update links on My Assets in self service
- Set id as the PRIMARY KEY of AttachmentsIndex for Pg
- Fix Enable checkbox behavior on Scrip Creation
- Add $WebStrictBrowserCache option to disable browser cache
- Add option to set number of rows in dashboard subscriptions
- Fix shredder boolean argument inputs
- Add StatementLog support for REST2
- Rewrite dashboard emailer to use the CLI interface
- Clean up lifecycles on save when possible
- Trim any leading and trailing spaces from name on lifecycle create
- Support to delete lifecycles
- Show lifecycle warnings to admins who are accessing lifecycle pages
- Support to update maps of a lifecycle via JSON on Advanced page
- In Lifecycle admin, add links to help map statuses that have the same name
- Add mysql5/MariaDB db types to install old DBD::mysql version
- Don't add Unlimited automatically in Rows per page
- Make rt-setup-fulltext-index generally work on Oracle 23c
- Document the workaround of the grant error of CTXSYS.CTX_DDL on Oracle 23c
Internals
- Limit query to active/inactive tickets in QueueList based on passed in @Statuses
- Test business hour css classes in search chart table
- Update failed tests as now we skip duplicated custom fields from initialdata
- Sanitize non-crypt headers used in RT internally from incoming email
- Return mail processing details only in DevelMode
- Update tests as RT-Send-Cc is cleared now
- Support QuickCreate to pass arguments to redirect URL after ticket creation
- Add AfterUpdate callback to group member admin
- Add CF validation to multiple non-ticket admin pages
- Enable devel mode for mailgate tests that depend on detailed output
- Allow callback to add user css class (thanks elacour!)
- Add callbacks to modify custom field updates
- Set next_page and prev_page in REST 2 without leaking any info
- Set to the last page in REST 2 if the given page exceeds it
- Exclude EmailRecord txns if current user can not see them
- Tweak rights check for transactions of a single ticket
- Cache ticket rights for atomic changes
- Pass Graph Type to EditSearches
- Remove id from search save args
- Skip search menu process for ticket graph searches
- Avoid duplicates of TicketType/ObjectType criteria for txn searches
- Make sure both prefix and suffix of spaces are removed from parsed searches
- Test alternative syntaxes for whole day searches
- Refactor chart code to avoid hard coded class and group by
- Refactor report code mainly to move more general part to one level up
- Support to calculate TimeTaken in transaction search charts
- Use base64 encoding for content larger than 100KB
- Use role Name/GroupType in case corresponding role groups do not exist yet
- Take care of SelfService when building asset action menu for "Assets" widget
- Switch to "Create Linked Ticket" modal in "Assets" widget on ticket display page
- Internal support to search/sort cf values numerically
- Support to calculate numeric custom fields in search charts
- Limit lookup type for custom roles in reports
- Update to newest test docker image
- Abstract procedures to get queue-specific custom fields and roles
- Fix typo: selectpicker is not for text inputs
- Make sure inline edit is disabled for unprivileged users
- Move /Elements/SearchFilter to /Search/Elements/FilterTickets
- Convert other Mason templates to new headers template
- Remove the duplicate id definition in the input
- Fix typo, callback line should be parsed as Perl
- Exclude radio and checkbox inputs from duplicate check for inline edit
- Pass RT_TEST_DISABLE_CONFIG_CACHE to fcigd/mod_perl configs
- Make sure BaseQuery is unset if it is equal to Query
- Move a few more general code from RT::Report::Tickets to RT::Report
- Log about the inaccurate chart data if UseSQLForACLChecks is disabled
- Update the license tagger to know how to handle markdown
- Drop code that never runs in CollectionList
- Support to group by Name/Description for asset charts
- Include principal ids or passed values in error logs
- Add ActionsMenu callback to ShowAssets for tickets
- No need to search links if the record does not support links
- Add TotalTimeWorked to REST2 ticket response data
- Quiet undefined warnings when sending rt-crontool email
- Make RT::User::OwnGroups() optionally recursive
- Add Initial callback for PreviewInSearch
- Dynamically get target element from the display element for checkbox cfs
- Support indeterminate state for boolean(checkbox) cfs
- Ignore HTML CF helper inputs(Bulk-Add-CustomField-...-ValuesType) on bulk update
- Test HTML custom fields on bulk update page
- Fixing localisation of Reports menu and Bulk page (thanks PPetky!)
- Fix the regex that identifies if the item is search term for autocomplete
- Add callbacks to dashboard portlet rendering
- Split dashboard email subject to a separate method
- Update tests for the updated header in TSV output
- Document TSV header changes in UPGRADING
- Do not merge old values for hash configs in database
- Test lifecycle deletions
- Add protective co...
rt-5.0.5
RT 5.0.5 -- 2023-10-19
RT 5.0.5 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, there are several important
security updates provided in this release. See below for details.
https://download.bestpractical.com/pub/rt/release/rt-5.0.5.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.5.tar.gz.asc
SHA-256 sums
90f845daaa436198c334b6e9cf5afb1df9f4445dcc165d0bcae35de9eb9be8ef rt-5.0.5.tar.gz
0c6f256434ae9d18e08e5267ae0dd6af817378c48a01e9bdc49a7cadbe43c47a rt-5.0.5.tar.gz.asc
Security
The following security issues are fixed in this release. Thanks to
Tom Wolters of Chapter8 and the National Cyber Security Centre in
The Netherlands for reporting the the first two findings.
-
RT is vulnerable to accepting unvalidated RT email headers in
incoming email and the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41259. -
RT is vulnerable to information leakage via response messages returned
from requests sent via the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41260.
Related to the above, in addition to upgrading to this new version, access
to the mail-gateway REST endpoint can, and in most cases should, be restricted
to only the RT server itself (localhost). This access restriction can typically
be applied in the web server running with your RT (Apache or other). This
configuration is more clearly documented as part of this release and we recommend
all RT admins review your web server configuration and consider restricting access
to this mail-gateway REST endpoint.
-
RT 5.0 is vulnerable to information leakage via transaction searches made by
authenticated users in the transaction query builder. This vulnerability is
assigned CVE-2023-45024. Thanks to edk and bakerst of Libera Chat for reporting
this finding. -
RT 5.0 can reveal information about data on various RT objects in errors and
other response messages to REST 2 requests.
General user features
- Include "Create" transactions when checking if there are unread messages
- Support HasUnreadMessages and HasNoUnreadMessages criteria for ticket search
- Make simple search result refresh always function
- Support to download custom field attachments from SelfService
- Allow additional ticket relationship graph directions
- Add the missing Principals autocomplete URL for Self Service
- On the People page, list current user in "All Recipients" if it's a watcher
- Align existing attachment list
- Show direct members for charts grouped by watchers in perl calculation
- Add the same separator as ticket cfs for user cfs in Spreadsheet
- Exclude owner email address from one time Cc/Bcc inputs
- Require unique name for Conditions and Actions
- Enable the selectpicker class for multiselect cfs
- Don't highlight "RT for" as the active menu
- Show that a principal is disabled while editing people inline
- Fix empty updates sending emails with html signatures
- Remove mobile restrictions for CKEditor
- Get the Stylesheet of the called user object instead of its CurrentUser
- Tweak quoted selection content and quote it with blockquote for html
- Fix lifecycle new status removal
- Improve Lifecycle validation messages
- Allow to wrap for normal collection list headers
- Make search chart tables responsive
- Adjust EmailInput element to use the correct autocomplete helper
- Make Principals Helper compatible with EmailInput element
- Add a SelectedUser search placeholder and portlet to set it
- Do not disable inline edit after errors
- Fix Find Group portlet input size
- Fix Find Asset portlet input size
- Avoid adding duplicated prefixes like "Ticket ID: " on bulk update pages
- Use id prefix for core field update messages consistently
- Rebalance page menu when the entire page (not just DOM) is ready
- Return success when disabling a disabled record via REST 2
- On ticket update, update names in Cc/Bcc select boxes when
checking/unchecking one-time "All recipients" - On dashboard edit, drop height CSS rules for each section in source
selection boxes to prevent overlap
Documentation
- Add documentation for using rt-crontool with multiple --action parameters
- Fix formatting in docs for $DateTimeFormat config examples
- Document default Name setting in RT::User
- Provide examples for CanonicalizeEmailAddress match and replace
- Fix docs on RT::Queue::IsWatcher
- Fix the link to RT_Config's External-storage section in pod
- Custom Roles cannot apply globally; correct docs
- Fix typo in transaction-type argument in rt-crontool docs (thanks rob@lonap.net!)
- Fix "Reffered" typo in metadata doc (thanks nreiling!)
- Fix 'followoing' typo in docs (thanks nreiling!)
- Clarify usage of the $EmailSubjectTagRegex setting
- Fix ticket_metadata.pod: Incorrect documentation of parent/child (thanks nreiling!)
- Improve documentation for RT::Search modules
- Document MySQL 8 support (actual MySQL 8 support was added in RT 5.0.4)
- Document web deployment with apache+proxy_fcgi
- Remove trailing / from mailgate url examples
- Fix users -> uses typo in query builder docs
- Document the new SelectedUser search placeholder
- Remove duplicate REST 2 asset examples
- Document changes to some update messages
- Update NAME header in rt-munge-attachments POD (thanks andrew!)
Administration
- Remove state criteria for invalid utf8 error warnings to allow
the full-text indexer to continue to run - Improve template 'Error: public key'
- Don't error if users4 index has been removed
- Update required versions for GD::Graph and Date::Extract
- A client terminating a connection shouldn't kill a FCGI process (thanks andrew!)
- Add configuration option $AllowGroupAutocompleteForUnprivileged
- Allow selection of SSL providers with SMIME
- Add new page where admins can preview results of search modules
- Add RT::Interface::Web::ReportsRegistry package, allowing extensions to
add custom reports more easily - Index SortOrder of ObjectCustomFieldValues
- Re-work indexes on Links table
- Bump SearchBuilder to 1.77 to fix a possible sorting issue
- Add a dropdown with values for RedistributeAutoGeneratedMessages config
- Fill up CachedGroupMembers at the end of importer for performance
- Add --all to serializer to export all data with UIDs and not check dependencies
- Reload scrubber rules for current process that changes configs
- Create a local version of $RULES{img} to update it dynamically based on configs
- Tweak code logic to short-circuit config checks when img rules are pre-defined
- Update legacy timezones
- Add --limit-queues and --no-queues support for rt-dump-initialdata
- Support to dump and import CustomFieldDefaultValues attributes with cf name
- Add new Scrip Logging page
- In the Lifecycle editor, set on_create status only if it's absent
- Add expiration option for auth tokens
Internals
- Explicitly check rights when loading and deleting RT System saved
searches rather than catching with an error - Don't mark fields in JOIN conditions as limited
- Fix simple ticket search tests to make sure tickets are really found
- Don't default Name to EmailAddress in LoadOrCreateByEmail
- Many changes to improve automated testing via Github Actions
- Set MasonLocalComponentRoot via RT->Config->Set so apache can see it
- Encode content for textual "message/..." attachments to fix issues with
$TreatAttachedEmailAsFiles and some types of messages - Convert ticket link graph generator to GraphViz2
- Update tests for EN datetime locale change to space
- In sessions, pass datetime in UTC as LastUpdated is stored that way
- Switch to Test::MockTime::HiRes in date api test
- Drop obsolete apache and fastcgi test configs
- Limit ObjectType in articles custom field searches
- Disable buildkit in github tests to continue using the local network feature
- Update expired certificates and related tests
- Pass action to GetCurrentUser of email interface
- Tweak Serialize methods for REST2 where no serializer arg is passed
- Do not quote bind numbers for SQLite
- Add rt-clean-attributes to git ignored files
- Create a new object to avoid circular references that happen on RT::CurrentUser
- Fix memory leaks in recursive anonymous subroutines
- Add new utilities to Makefile.in (thanks firefart!)
- Support WebPath configuration when checking ResultPage
- Get query string from REQUEST_URI for correctness and also better performance
- Support to run tests with apache+proxy_fcgi
- Remove trailing artifacts before adding query part
- Check return value of CanonicalizePrincipal in case username/email is invalid
- Drop the useless /s as the regexes don't contain "."
- No need to check listen address if FCGI is managed by Server::Starter
- Wrap raw "do" SQL into eval to show more error details
- Reduce unnecessary Load calls after creation for performance
- No need to convert ascii strings
- Support to create principals in batch beforehand
- Tweak UID generation code and also cache user UID for performance
- Skip rights checks for serializer/importer
- Cache various objects for records
- Skip rights check on ACE access for system user
- Skip rights check on Attachment access for system user
- Avoid duplicates of postponed id resolution
- Add batch mode to importer for data serialized with --clone or --all
- Serialize/Import subscriptions correctly
- Serialize/Import bookmarks correctly
- Filter class rights before adding to IN clause
- Allow to set columns to their default value or NULL
- No need to explicitly set SubjectTag as it's NULL by default
- Convert empty strings to NULL for Category of CustomFieldValues
- Pass $message to the ModifyContent callback
- Remove unused local variable that is very misleading
- Don't generate $args ...
rt-4.4.7
RT 4.4.7 -- 2023-10-19
RT 4.4.7 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, there are several important
security updates provided in this release. See below for details.
https://download.bestpractical.com/pub/rt/release/rt-4.4.7.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.7.tar.gz.asc
SHA-256 sums
47af1651d5df3f25b6374ff6c1da71c66202d61919d9431c17259fa3df69ae59 rt-4.4.7.tar.gz
01a7707d44c60ce8faece9fe6cb6411c87578137c7e88da7a87c9f29620b5795 rt-4.4.7.tar.gz.asc
Security
The following security issues are fixed in this release. Thanks to
Tom Wolters of Chapter8 and the National Cyber Security Centre in
The Netherlands for reporting these findings.
-
RT is vulnerable to accepting unvalidated RT email headers in
incoming email and the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41259. -
RT is vulnerable to information leakage via response messages returned
from requests sent via the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41260.
Note that in addition to upgrading to this new version, access to the mail-gateway
REST endpoint can, and in most cases should, be restricted to only the RT
server itself (localhost). This access restriction can typically be applied
in the web server running with your RT (Apache or other). This configuration
is more clearly documented as part of this release and we recommend all RT
admins review your web server configuration and consider restricting access
to this mail-gateway REST endpoint.
General user features
- Include "Create" transactions when checking if there are unread messages
- Support HasUnreadMessages and HasNoUnreadMessages criteria for ticket search
- Make simple search result refresh always function
- Support to download custom field attachments from SelfService
- Allow additional ticket relationship graph directions
- Add the missing Principals autocomplete URL for Self Service
- On the People page, list current user in "All Recipients" if it's a watcher
Administration
- Remove state criteria for invalid utf8 error warnings to allow
the full-text indexer to continue to run - Improve template 'Error: public key'
- Don't error if users4 index has been removed
- Update required versions for GD::Graph and Date::Extract
- Make RT work with MySQL 8
- Update DBIx::SearchBuilder to 1.69 to work with MySQL 8
- A client terminating a connection shouldn't kill a FCGI process (thanks andrew!)
- Add configuration option $AllowGroupAutocompleteForUnprivileged
- Allow selection of SSL providers with SMIME
- Add new page where admins can preview results of search modules
Documentation
- Add documentation for using rt-crontool with multiple --action parameters
- Fix formatting in docs for $DateTimeFormat config examples
- Document default Name setting in RT::User
- Provide examples for CanonicalizeEmailAddress match and replace
- Fix docs on RT::Queue::IsWatcher
- Fix the link to RT_Config's External-storage section in pod
- Custom Roles cannot apply globally; correct docs
- Fix typo in transaction-type argument in rt-crontool docs (thanks rob@lonap.net!)
- Fix "Reffered" typo in metadata doc (thanks nreiling!)
- Fix 'followoing' typo in docs (thanks nreiling!)
- Clarify usage of the $EmailSubjectTagRegex setting
- Fix ticket_metadata.pod: Incorrect documentation of parent/child (thanks nreiling!)
- Improve documentation for RT::Search modules
- Document restricting access to the mail-gateway REST endpoint
Internals
- Explicitly check rights when loading and deleting RT System saved
searches rather than catching with an error - Don't mark fields in JOIN conditions as limited
- Fix simple ticket search tests to make sure tickets are really found
- Don't default Name to EmailAddress in LoadOrCreateByEmail
- Many changes to improve automated testing via Github Actions
- Set MasonLocalComponentRoot via RT->Config->Set so apache can see it
- Encode content for textual "message/..." attachments to fix issues with
$TreatAttachedEmailAsFiles and some types of messages - Convert ticket link graph generator to GraphViz2
- Update tests for EN datetime locale change to space
- In sessions, pass datetime in UTC as LastUpdated is stored that way
- Switch to Test::MockTime::HiRes in date api test
- Drop obsolete apache and fastcgi test configs
- Limit ObjectType in articles custom field searches
- Disable buildkit in github tests to continue using the local network feature
- Update expired certificates and related tests
- Don't return ticket details in REST mail-gateway return messages
- Sanitize incoming RT email headers
A complete changelog is available from git by running:
git log rt-4.4.6..rt-4.4.7
or visiting
rt-4.4.6...rt-4.4.7
rt-5.0.4
RT 5.0.4 -- 2023-05-04
RT 5.0.4 is now available for general use. The list of changes
included with this release is below.
May the Fourth be with you!
https://download.bestpractical.com/pub/rt/release/rt-5.0.4.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.4.tar.gz.asc
SHA-256 sums
916d870d22d92027f843798be6f880aaf1517aebc3f6ab25f456f4e772f4834d rt-5.0.4.tar.gz
191436164473423796c7b34cfe4cc8891d2fd1db8bef5584d34f50083bd3396e rt-5.0.4.tar.gz.asc
Security
- jQuery UI is updated to version 1.13.2, which addresses a security issue in
earlier jQuery UI (CVE-2022-31160). This issue does not impact RT directly
as RT does not currently use the impacted code.
General user features
- Split the select of watcher criteria in query builder; with a single
select, this list would grow too long - Display entry hint in people section of ticket display page
- Add missing css rules to buttons to improve UI consistency
- Increase search field column width, mainly for role fields
- Include custom roles in the core watcher search criteria
- Hide asset menu search if simple search is disabled
- Fix multiple mt-* classes that are applied at the same time to fix
display bugs - Retain Class and ObjectType when query parsing contains errors;
prevents query parsing actions in transaction search from reverting
to ticket search - Clear floating elements from correspondence
- Show custom field diffs in transaction history
- Fix bug that caused HTML custom fields to show 'text/html' as value
- Move user custom fields on "Settings > About me"" page to make better
use of space - Fix the menu drift when clicking on repositioned submenus caused by
screen width overflow - Fix issue where a submenu could flash out when clicking a submenu
option (specifically, in Chrome-based browsers) - Fix runtime error in SelfService Asset Display (I#37377)
- Improve Reports/Update This Menu CSS styling
- Improve 'Error: public key' template to avoid confusion for new
installs (I#37360) - Show RT support email address in the RemoteAuth error page
- Show RT support email address on PSGI/database error page
- Block ticket creation/update when there's invalid recipients
- Disable browser spell check for custom code box (thanks Christian
Mehlmauer!) - Make Actions page menu scrollable in case it's too long to fit on
screen - Allow CKEditor (rich text) boxes to vary in height based on
context/usage - Fix bug preventing the toggling/display of initially rolled-up widgets
- Allow unchecking of "Suppress if empty" checkbox for dashboard
subscriptions - Load more history for unread messages with on scroll setting so new
messages can be accessed via the "Jump to Unread" button - Exclude favion.png from generated dashboard email
- Add extra css to dashboard emails to improve display for some
email web clients (such as Gmail and Outlook) - Fix Ticket/Create.html's display of Links block
- Refactor Edit Links to fix bug in page display
- Exclude asset custom roles from ticket search
- Fix custom role's name in the result message when adding members
- Add support for custom roles in asset searches
- Improve performance of one-time email lookup
- Improve page layout by dropping an extra form-row wrapper
(LabeledValue already has one) - Fix layout of ticket graph page
- Add back missing current-value span to fix alignment of rows in asset
widget of ticket page - Re-add the missing Creator row for article display
- Revert LabeledValue changes to role inputs
- Make article autocomplete case insensitive
- Force EmailAddress to be the default return value for EmailInput
- Prettify "Show ticket history" by making it look like a button
- Add multiple order by and order indicators in search results header
- Make autocomplete work in dynamically created modal popup
- Support to pass user name as default value for owner input
autocomplete - Allow to show empty option even when default value is present;
allows current Priority filter to show while allowing user to unset it - Allow users to filter ticket search results via headers
- Allow text but not icons to wrap in search header (in Firefox)
- Provide default 'select all' for some search terms; prevents erroneous
"error parsing your search query" messages (I#36902) - Reset queue-level default values on queue change on ticket create
page; previously, defaults didn't change even if another queue was
selected (I#37242) - Show end users a message if a SQL error occurs
- Update search results to use Bootstrap/modern pagination styles
- Add box to jump to search results page
- Add UI for custom field validation hints
- Improve color and spacing for custom field FriendlyPattern UI
- Target keyboard shortcuts accurately for search result modal popups
- Fix combobox controls to not clear user inputs on dropdown click
- Format auth token list with a title box
- Removed extra space between Cc and Bcc in the ticket update cc Element
- Handle implicit form submissions in search filter modals (i.e., act
as if the "Apply" button was clicked) - Fix broken search input formatting on "Manage GnuPG Keys" page
- Always show a Logout link in the menu
- Make number of search results per-page configurable
- Add information about search preferences
- Remove extra space from titleboxes in query builder's Sort and Display
Columns boxes - Prevent main navigation from overlapping with custom logo
- Make pie/bar in js charts clickable again for saved searches
- Automatically enable live search for selects that have 10 or more
options - Force to use light theme for dashboard emails; prevents broken
display of dashboard emails in email clients that try to automatically
apply your system's dark/light theme to emails - In query builder, show a solid funnel next to header column if that
column is a filter in the search - Add "unknown" default priority option to priority select list; shows
if a ticket's priority is unknown or no longer valid - Make search filter modal popups scrollable (in case of long content)
- In query builder, increase queue limit to 100 in search filter (as
the modal is now scrollable) - Add URL shortening of search URLs
- Add shortener support to saved searches
- Shorten subqueries on chart page
- Fix bug that adds duplicated criteria to queries generated on chart
page - Reduce whitespace between the continuous descriptive paragraphs
- When commenting or corresponding, only quote text from transaction
areas in the ticket history - Remove unnecessary spacing in layout of user custom fields in
SelfService Prefs - Fix label typo for asset description
- Fix bug that could prevent live-search in select widgets (Safari and
Firefox) - Improve UI consistency by wrapping textarea/attachment inputs in a
form-row - Remove extra vertical space of select inputs to be consistent with
other inputs - Use consistent space among input rows for ticket forms
- Replace fontawesome funnel icon with bootstrap version
- Drop the obsolete fontawesome filter icon
- Removed extra space between Cc and Bcc in the ticket update cc Element
- Update data-live-search attr for bootstrap select before initialization
- Show customized operator/value inputs for cfs on admin user search page
- Support to wrap textarea/attachment inputs into a form-row for space settings
- Remove extra vertical space of selectized inputs to be consistent with other inputs
- Use consistent space among input rows for ticket forms
- Use HTML content for articles by default
- Format article HTML content correctly when EscapeHTML is disabled
- Add extra newlines to make boundaries of different article fields clear
- Clarify usage of the $EmailSubjectTagRegex setting
- Adapt formatting for mixed HTML and plain text quoting in Outlook message
- Display key details for text/calendar messages (meeting invitations)
- Various improvements for search filter controls
- Limit dropdown size in owner search filter modal
- Convert some search icons to inline svg for easier styling
- Drop the duplicated div.value in EditTopics
- Hide tooltips everywhere on click
Web Administration
- Allow default custom field values for group, user, and article objects
- Add custom roles to assets
- Add lookup type to custom role admin page listing
- Make comment and signature boxes half-page width, not full page width
- Add SameSite to cookies from WebSameSiteCookies, helping to protect
from CSRF attacks ($WebSameSiteCookies in RT config) - Update default value for WebSecureCookie so cookies are secure by
default - Support sending test dashboard emails on dashboard subscription page
- Record ACL changes in transactions
- Show a default entry hint based on the type of validation for custom
field admin pages - Fix display of plugin arguments on Shredder page
- Update Scrips modify page to line up "Applies to" with the other
values - Remove unnecessary current-value span for rows not in forms
- Use LabledValue to generate current-value spans
- Add search functionality for config edit page
- Add configuration option to disable quoting of selected text on
ticket update - Fix lifecycle editor warning messages: "actions" is the key name,
not "action" - In lifecycle editor, show objects where the lifecycle is applied
- Add Shortener page (Admin > Tools > Shortener Viewer) to show content
of specified shortener code - Create optional article portlet for ticket display page
- Hide article portlet if current user does not right to see the article
- Add a Checkbox RenderType for select type custom fields
- Scrub permissively for non-ticket related custom field values
- Add %ScrubCustomFieldOnSave config to scrub custom field values on save
Server Administration
- RT now supports MySQL 8
- Upgrade jquery-ui t...
rt-5.0.3
RT 5.0.3 -- 2022-07-13
RT 5.0.3 is now available for general use. The list of changes
included with this release is below. In addition to the new features
and bug fixes listed below, this release contains security fixes.
https://download.bestpractical.com/pub/rt/release/rt-5.0.3.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.3.tar.gz.asc
SHA-256 sums
e23aee3cb291ccad5e521aeabe0fcd2f076bcfa8b7f801af498a7505e53d8441 rt-5.0.3.tar.gz
6cfc32a9bf2d09768a5ac2b103f21d6675dfc3490c06190562296e5b2082ccce rt-5.0.3.tar.gz.asc
Security
The following security issues are fixed in this release. Thanks to the
Polish Financial Supervision Authority IT Security Department (UKNF)
for reporting the first two issues below.
-
RT is vulnerable to cross-site scripting (XSS) when displaying
attachment content with fraudulent content types. This vulnerability
is assigned CVE-2022-25802. -
RT 5.0 is vulnerable to unvalidated, or open, redirects in ticket
searches. This vulnerability is assigned CVE-2022-25803. -
RT did not perform full rights checks on accesses to file or image type
custom fields, possibly allowing access to these custom fields by users
without rights to access to the associated objects (like the ticket it
is associated with).
As an additional security note, RT 5.0.3 also updates jQuery to
version 3.6.0 and that includes a security fix (CVE-2020-11022).
General user features
- Add a message and link to the new GnuPG key trust admin page
- Update user admin menu to just Keys
- Convert datetime cf values to user timezone on ticket clone
- Search Name/Summary case insensitively for SelfService article search
- Group custom field values by category
- Fix the bug that transaction cfs can not be saved on queue default values page
- Check email of custom role members on ticket create
- Improve checking of CustomFieldValue SortOrder
- Improve "not a unique value" error messages to show more hints
- Validate "unique values" custom fields correctly on web create
- Improve recognition of urlified subject tags
- Support different custom field groupings at category level
- Only use col-2/10 layout for transaction custom fields
- Cache CustomDateRanges in ColumnMap for performance
- Add response/comment css class after CKEditor is fully loaded in dark mode
- Default to not render old appearance of EntryHint for MultiUserRoleInput
- Add tooltip for custom role inputs on search bulk page
- Respect $Name argument in SelectDashboard
- Support to specify attribute name of system default dashboard, mainly for RTIR
- Don't trigger inline edit if user clicks links, buttons or their children
- Strip leading/trailing spaces from Group name automatically on create/update
- Support custom roles by name on ticket update
- Switch to link button for "Close" in modal of "Grant Dashboard Rights"
- Support to customize global MyRT configuration page
- Remove unneeded padding on ticket update
- Try harder to not only wrap help tooltip in labels
- Allow deleting RT addresses from roles
- Remove extra closing element on custom role admin page
- Migrate plain checkboxes to bootstrap's custom-checkbox for consistency
- Show correct tooltips with multiple charts
- Verify PGP signatures on the original decrypted content
- Do not try to decrypt PGP public keys
- Don't warn if mixed newlines are found in decrypted GPG content
- Refresh status for Category select box on custom field edit page
- Remove duplicate my reminders portlet from default dashboard
- Notify user when unable to include an article
- Add configurable search for Include Article
- Allow DefualtCatalog to be unset in Web Interface
- Center values on custom field edit page
- Add the HTML CustomField type
- Allow HTML signatures
- Allow browser spellchecker to work in CKEditor windows
- Fix improper HTML tag nesting in EditDates
- Bypass selectize's client filter by showing all search results
- Change display from block to inline for create elements
- In the Theme editor, restore "try" behavior to the Try button rather
than saving changes
Administration
- Upgrade jQuery to 3.6.0
- Upgrade jQuery UI to 1.13.0
- Upgrade bootstrap to 4.6.1
- Upgrade bootstrap select to 1.13.18
- Add --no-auto-commit option for rt-importer
- Add Article and Asset counts to RT Size
- Add index on ObjectCustomFields.ObjectId
- In rt-shredder CLI tool, make setting sqldump actually work (thanks, grifferz!)
- Suppress warnings with rt-fulltext-indexer --quiet
- Exit success if rt-fulltext-indexer is running
- Add --log support in RT::Interface::CLI
- Explicitly set SSL_verify_mode in mailgate
- In rt-importer, put all dependencies of current object to the head of stack
to reduce memory usage - Support to sync Disabled field for groups in LDAP import
- When shredding users, only replace fields that match the to-be-wiped user
- Replace obsolete AC_HELP_STRING with supported AS_HELP_STRING
- Removed unused Revision macro
- RT 3 is EOL so no one should be configuring an rt3 group
- RT 4 and later do not support modperl 1, remove the option
- Reduce memory usage for rt-importer
- Suppress incorrect attachment warning when session attachments exist
- Set the UserAssetExtraInfo widget for display on web config page
- Register "Show Details" toggle handler only once for each button in scroll mode
- Remove modperl1 feature from cpanfile
Documentation
- Document the "quiet" option of rt-importer
- Update docs for rt-fulltext-indexer --quiet
- Add docs on mason cache fix
- Fix incorrect internal doc link
- Fix typo in %CustomFieldGroupings config doc
- Document the "Disabled" field mapping for ldap-import
- Add example of adding dot for module installs
- Fix bracket in InitialdataFormatHandlers documentation
- Update recommendation for where to unpack source
- Document the GnuPG key in the %GnuPG configuration in RT::Crypt::GnuPG
- Document how to listen on IPv6 for rt-server
- Fix tls example in ExternalAuth LDAP docs
- Document how to use capath and cafile with LDAP
- Document UserAssetExtraInfo
- Document bind parameter improvements
- Add REST2 interface to docs
Internals
- Reduce code duplication of checking formats of CustomFieldGroupings
- Update cf groupings tests for code duplication cleanup
- Failing tests for lifecycles without SeeQueue
- Walk around ACLs when working with lifecycles to avoid incorrect use
of the default lifecycle - Update tests as now user could modify status without SeeQueue
- Update the removed call of RT::Ticket::DueAsString in docs
- Remove obsolete "error" and "warning" methods in rt-fulltext-indexer
- Add test setting select CF to a value not in values list
- Support to canonicalize select values
- Validate cf values in advance before really adding them
- Set values for select CFs used in tests
- Add CF values on user create
- Drop the harmful extra canonicalization code as HasEntry canonicalizes too
- Test datetime cfs edits on ticket clone and edit pages
- Update tests for the default order change of custom field values
- Update EmailAddress index to case insensitive for Pg
- Test queue default values page
- Store mason cache created time in mason interpreter
- Clear callback cache too when mason cache is cleared
- Use mason's remove_object_files instead of implementing it ourselves
- Test "Clear Mason Cache" functionality
- Test user/group Disabled field in LDAP import
- In shredder, avoid duplicated single member group resolvers
- Add multiple db connection tests mainly for Oracle
- In dashboards, pass user object to ShowUser* elements
- Test shredder for user that owns multiple tickets
- Abstract methods to get/set/reset current interface and use them accordingly
- Add tests for current interface
- Update tests for the new canonicalized format of CustomFieldGroupings
- Add tests for queue level cf groupings
- Move query-builder related tests to its own test file
- Test validation of "unique values" custom fields on web UI
- Refactor custom field loop code to make it happy on perl prior to 5.22
- Optionally load RT::Authen::ExternalAuth in case Net::LDAP is not installed
- Make sure to not redirect for logout direct response tests
- In CF grouping, return record class in scalar context for backward compatibility,
specifically with RTIR - Correctly handle custom field groupings on queue default values page
- Test custom field groupings on queue default values page
- Make RT happy with perl 5.36
- Encapsulate inline Perl in <%perl> block
- Add callbacks to allow customization of AuthTokens page
- Use bind variables in DBIx::SearchBuilder by default
- Update tests to force BuildSelectQuery to not use bind values
- Refactor bare select queries to use bind values
- Give Pg a hint about the data type of the argument
- Bump DBIx::SearchBuilder to 1.71 to use bind parameters for searches
- Remove duplicated tests
- Drop old REST2 code that's for RT4
- Fix server fatal error for invalid cookie logins in REST2
- Add tests for custom roles on ticket update
- Use a loose regex to cover all DefaultDashboard attributes
- Load queue object in GetDefaultQueue to make sure it's valid and visible
- Add tests for DefaultQueue config rights check
- Abstract "Return to Search Results" and "Hide unset fields" to DropdownMenu
- Separate "collapse" and passed in bodyclass for widget body
- Update tests because of the space removal between label text and help icon
- Test the deletion of RT addresses from ticket roles
- Do not use bind variables in intermediate subqueries
- Add chart tests for queries with JOINs
- Update the EXPORTED version in configure script
- Test GnuPG encrypted+signed+pubkey emails composed by Thunderbird
- Ignore HotList column for RT::Class on importing
- Don't flag of properly deleted attributes in rt-validator
- Add RT::A...
rt-4.4.6
RT 4.4.6 -- 2022-07-13
RT 4.4.6 is now available for general use. The list of changes
included with this release is below. In addition to the new features
and bug fixes listed below, this release contains security fixes.
https://download.bestpractical.com/pub/rt/release/rt-4.4.6.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.6.tar.gz.asc
SHA-256 sums
1eff5bd9e556b5d6682ccd0e5b2f3dcc2c49a9ec4e215dadb90c4caf5e435e9e rt-4.4.6.tar.gz
f93cefaa0c4d5047118168aa2212752fe4e5906d8696bcf8fc287a2345b53a71 rt-4.4.6.tar.gz.asc
Security
The following security issues are fixed in this release. Thanks to the
Polish Financial Supervision Authority IT Security Department (UKNF)
for reporting the issue below.
-
RT is vulnerable to cross-site scripting (XSS) when displaying attachment
content with fraudulent content types. This vulnerability is assigned
CVE-2022-25802. -
RT did not perform full rights checks on accesses to file or image type
custom fields, possibly allowing access to these custom fields by users
without rights to access to the associated objects (like the ticket it
is associated with).
General user features
- Add a message and link to the new GnuPG key trust admin page
- Update user admin menu to just Keys
- Convert datetime cf values to user timezone on ticket clone
- Search Name/Summary case insensitively for SelfService article search
- Group custom field values by category
- Fix the bug that transaction cfs can not be saved on queue default values page
- Check email of custom role members on ticket create
- Improve checking of CustomFieldValue SortOrder
- Improve "not a unique value" error messages to show more hints
- Validate "unique values" custom fields correctly on web create
- Improve recognition of urlified subject tags
- Support different custom field groupings at category level
Administration
- Add --no-auto-commit option for rt-importer
- Add Article and Asset counts to RT Size
- Add index on ObjectCustomFields.ObjectId
- In rt-shredder CLI tool, make setting sqldump actually work (thanks, grifferz!)
- Suppress warnings with rt-fulltext-indexer --quiet
- Exit success if rt-fulltext-indexer is running
- Add --log support in RT::Interface::CLI
- Explicitly set SSL_verify_mode in mailgate
- In rt-importer, put all dependencies of current object to the head of stack
to reduce memory usage - Support to sync Disabled field for groups in LDAP import
- When shredding users, only replace fields that match the to-be-wiped user
- Replace obsolete AC_HELP_STRING with supported AS_HELP_STRING
- Removed unused Revision macro
- RT 3 is EOL so no one should be configuring an rt3 group
- RT 4 and later do not support modperl 1, remove the option
Documentation
- Document the "quiet" option of rt-importer
- Update docs for rt-fulltext-indexer --quiet
- Add docs on mason cache fix
- Fix incorrect internal doc link
- Fix typo in %CustomFieldGroupings config doc
- Document the "Disabled" field mapping for ldap-import
Internals
- Reduce code duplication of checking formats of CustomFieldGroupings
- Update cf groupings tests for code duplication cleanup
- Failing tests for lifecycles without SeeQueue
- Walk around ACLs when working with lifecycles to avoid incorrect use
of the default lifecycle - Update tests as now user could modify status without SeeQueue
- Update the removed call of RT::Ticket::DueAsString in docs
- Remove obsolete "error" and "warning" methods in rt-fulltext-indexer
- Add test setting select CF to a value not in values list
- Support to canonicalize select values
- Validate cf values in advance before really adding them
- Set values for select CFs used in tests
- Add CF values on user create
- Drop the harmful extra canonicalization code as HasEntry canonicalizes too
- Test datetime cfs edits on ticket clone and edit pages
- Update tests for the default order change of custom field values
- Update EmailAddress index to case insensitive for Pg
- Test queue default values page
- Store mason cache created time in mason interpreter
- Clear callback cache too when mason cache is cleared
- Use mason's remove_object_files instead of implementing it ourselves
- Test "Clear Mason Cache" functionality
- Test user/group Disabled field in LDAP import
- In shredder, avoid duplicated single member group resolvers
- Add multiple db connection tests mainly for Oracle
- In dashboards, pass user object to ShowUser* elements
- Test shredder for user that owns multiple tickets
- Abstract methods to get/set/reset current interface and use them accordingly
- Add tests for current interface
- Update tests for the new canonicalized format of CustomFieldGroupings
- Add tests for queue level cf groupings
- Move query-builder related tests to its own test file
- Test validation of "unique values" custom fields on web UI
- Refactor custom field loop code to make it happy on perl prior to 5.22
- Optionally load RT::Authen::ExternalAuth in case Net::LDAP is not installed
- Make sure to not redirect for logout direct response tests
- In CF grouping, return record class in scalar context for backward compatibility,
specifically with RTIR - Correctly handle custom field groupings on queue default values page
- Test custom field groupings on queue default values page
- Make RT happy with perl 5.36
- Prevent warnings when updating image links in rendered HTML
A complete changelog is available from git by running:
git log rt-4.4.5..rt-4.4.6
or visiting
rt-4.4.5...rt-4.4.6
rt-5.0.2
RT 5.0.2 -- 2021-09-14
We're pleased to announce the general availability of RT 5.0.2.
The list of changes included with this release is below. In addition
to a large number of updates and fixes, there are two security updates
provided in this release.
https://download.bestpractical.com/pub/rt/release/rt-5.0.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.2.tar.gz.asc
SHA-256 sums
df915ae809277564d9b8a7192ced2517cf6bed6c0301786b69562c0ea9dd9e86 rt-5.0.2.tar.gz
ec462189a90728dcb76fd38a2e55a6c8bbb21f6f7c8fc4907e2cd0f2dcde005c rt-5.0.2.tar.gz.asc
Security
-
In previous versions, RT's native login system is vulnerable to user enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate each
login attempt for valid and invalid usernames. This vulnerability does not allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release. -
RT uses the chart.js package and the previous version has vulnerabilities
described here: https://snyk.io/test/npm/chart.js/2.8.0 This RT release updates
chart.js to version 2.9.4 as recommended in that advisory.
General features and fixes
- Update Starts on SLA changes even if Starts was already set
- Accept usernames for email input fields on ticket create/update
- Support group:NAME and group:ID in non-single role input fields
- Create an autocompleter for Principals (works with both users and groups)
- Support more characters for user/group names in non-single role input fields
- Normalize and validate time inputs
- Support to generate different dashboard content for each recipient
- Use user timezone for date "=" queries in ticket search
- Add "Create Via Email" and "Create Via Web" conditions
- Fix table wrapping error in Ticket/Update.html
- Don't escape queue name in title generation stage as it'll be escaped later
- Allow to squelch recipients that also exist in one time inputs
- Show all valid statuses on Asset bulk update page
- In the datepicker, reset the time part after date input is cleared
- Support columns as values in ticket search (ticket values on right-hand side in searches)
- Support a friendly syntax for custom field columns as values in ticket search
- Allow to specify CF Content/LargeContent columns in the keyword part of SQL
- Support role searches like Owner = CF.cid or Owner = Creator
- Improve UI of unread messages notification
- Sync one time inputs back to checkboxes on ticket update page
- Automatically load more txns to fill browser window on scroll history mode
- Fix duplicated closing tag for attachment delete links
- Remove search string including numbers in ticket autocomplete search on select
- Fix RecentlyViewedTickets to deal with shredded/merged tickets
- Fix bug that kept 11 tickets in the "recently visited" list instead of 10
- Show dependencies (like dashboards) and confirm before deleting saved searches
- Fill up cells of record's last row in search results
- Add support of "Lifecycle =" and "Queue LIKE" to GetReferencedQueues for more search options
- Support copying saved charts like searches
- Fix wrongly duplicated one-time addresses on ticket update page
- Add various missing ColumnMap entries
- Fix error when removing multiple holders of an asset
- Add basic stacked bar chart support
- Remove extra closing div on Login/Logout pages
- Add option to disable ticket linking in articles by class
- Add entry hint as custom field tooltip
- Disable submit on enter when input's autocomplete list shows up
- Support quoted custom fields as values
- Exclude end time when limiting txn date to a day
- Trigger UpdateCc/UpdateBcc input change only once when clicking "All recipients"
- Sync one-time checkboxes to text inputs in a consistent way
- Translate selfservice articles search button (thanks, elacour!)
- Support shallow searches for ticket roles
- Support to search user defined group names in watcher limit
- Support order by watcher's custom fields for ticket search
- Support more watcher fields including user cfs in search result format
- Add more watcher fields including user cfs to OrderBy/Columns in search builder
- Upgrade OrderBy "Owner" to new version "Owner.Name" in saved searchs
- Create a standard RT Time Worked report
- Add grouping by custom roles for ticket search charts
- Reduce space used by Current search on Query Builder to avoid saved search overlap
- Group by direct members of role groups for ticket search charts
- Use Name as the default watcher field in search results
- Allow clearing roles on bulk updates page
- Remove unexpected leading spaces in user signature input
- Add label text to old-attach form for accessibility
- Add the missing "form-control" class to autocomplete cf inputs in query builder
- Fix EditSearches title after submission on Query Builder page
- Let article summary take the whole width in article list
- Pass all request arguments to /SelfService/Open.html
- Disable inline edit for related tickets in "Assets" widget of ticket display
- Transactions on History.html page should link to transaction display page
- Clear "Add Columns" select after change on Query Builder
- Translate selfservice articles search button
- Render a label for both cases when displaying shredder objects,
making checkbox available to select objects to shred - Align label/value columns for Assets widget in ticket display
- Use checkbox class for multi select list input
- Remove blue background on dropdown-item active
- Explicitly exclude "deleted" status from queue list portlet
- Require Name field when creating or editing Article
- Add QueueListAllStatuses portlet to show tickets info of all statuses
- In Self Service, don't explicitly call PageLayout as it's included already
- Remove extra closing div on Login/Logout pages
- Use 2/10 col layout for custom fields only in transaction display
- Use an independent col for each asset custom field grouping
- Add the missing from-control css class for queue autocomplete input
- Move asset field-specific css classes up to the row instead of just label
- Add autocomplete for assets input
- Don't change background color on click of dropdown items
- Load user-level search preferences for ticket searches only, fixing errors
with custom search formats and transaction search results - Add more ticket info to transaction display page
- Register the missing autocomplete handler for refreshed inline-edited row
- Add webpath to RelatedData href (thanks, jtlarson!)
- Update principal input labels to reference groups
- Always default to no value for select type CFs on bulk update
- Fix context quoting on ticket update with top-quoted signatures in rich text editor
- On the query builder, restore OR accidentally changed in bootstrap updates
Administration
- Generalize Owner logic in Shredder to any Single role group
- In shredder, remove SetWatcher rows in transaction history as well
- Add setting $AssetMultipleOwner to allow many owners on assets
- Default --libs-group value from "bin" to "root"
- Add --dry-run option to rt-crontool
- In validator, ensure tickets and queues have all of their default role groups, individually
- In validator, prompt to create missing default role groups
- Skip merged tickets in role groups validation
- Allow to create missing queue-level custom role groups when needed
- For external auth, support cf mappings like CF.foo and UserCF.foo
- Support array and code in attr_map of external auth
- Don't quote table names in shredder SQL output
- Avoid "Wide character in print" warnings when generating shredder SQL output
- Add QuoteWrapWidth option for text quoted during reply/comment
- Set the $AttachmentListCount config's default value to 5
- Clarify external auth logging when users are not found
- Fix removal of scrips when shredding queues
- Avoid errors in shredder when Organization has a hyphen
- Avoid errors in shredder when username has a hyphen
- Avoid errors in shredder when queue name have a hyphen
- Log number of records returned from LDAP search
- Support searching NULL(unset) values on user/group admin pages
- Only show hints for user CFs configured in external settings on create
- Fix removal of custom fields when shredding queues
- Add transaction records for dashboard/savedsearch changes
- For articles, do not encode HTML if skip Escape HTML option selected
- In rt-crontool, add reload-ticket option to refresh metadata before processing
- Avoid a known problem version of Mojo::DOM::CSS
- Update DBIx::SearchBuilder to 1.68 to avoid segfaults on MariaDB 10.2+
- Add parallel support for crontool
- Add Parallel::ForkManager to dependency for parallel crontool
- Log the object that exceeds DependenciesLimit in shredder
- Remove SetOwner rows in transaction history on user shred
- Add ExternalAuth to the exceptions for requiring a password
- Reset ObjectCustomField sort order when re-enabling a Custom Field
- Update ObjectCustomField sort order only if necessary on re-enable
- Pass SavedChartSearchId from chart portlet
- Skip rights check when setting default object custom field values
- Add support to clear mason cache via web interface
- Add LDAP email authentication to External Auth
- Don't shred subgroups' member relationships when shredding ticket role groups
- Provide a way to select privileged and unprivileged users in admin
- Remember IncludeSystemGroups value on page navigation
- Add statement-log option to render statement logs in CLI
- Support to set sort order of applied custom roles
- Show custom roles in correct order on queue watcher and ticket pages
- Add no-sqldump option to r...
rt-4.4.5
RT 4.4.5 -- 2021-09-14
We're pleased to announce the general availability of RT 4.4.5.
The list of changes included with this release is below. In addition
to a large number of updates and fixes, there is one security update
provided in this release.
https://download.bestpractical.com/pub/rt/release/rt-4.4.5.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.5.tar.gz.asc
SHA-256 sums
c3025d5fe5bf5479d07318652fa904f4940f5172801a2aae4e397779b519556e rt-4.4.5.tar.gz
a00b68c84b8285ee4a2d104ca8f70dc5e4ea478dfd1a5378bcf7369259e10ac0 rt-4.4.5.tar.gz.asc
Security
- In previous versions, RT's native login system is vulnerable to user enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate each
login attempt for valid and invalid usernames. This vulnerability does not allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release.
General user features
- Update Starts on SLA changes even if Starts was already set
- Accept usernames for email input fields on ticket create/update
- Support group:NAME and group:ID in non-single role input fields
- Create an autocompleter for Principals (works with both users and groups)
- Support more characters for user/group names in non-single role input fields
- Normalize and validate time inputs
- Support to generate different dashboard content for each recipient
- Use user timezone for date "=" queries in ticket search
- Add "Create Via Email" and "Create Via Web" conditions
- Fix table wrapping error in Ticket/Update.html
- Don't escape queue name in title generation stage as it'll be escaped later
- Allow to squelch recipients that also exist in one time inputs
- Show all valid statuses on Asset bulk update page
- In the datepicker, reset the time part after date input is cleared
- Support columns as values in ticket search (ticket values on right-hand side in searches)
- Support a friendly syntax for custom field columns as values in ticket search
- Allow to specify CF Content/LargeContent columns in the keyword part of SQL
- Support role searches like Owner = CF.cid or Owner = Creator
- Improve UI of unread messages notification
- Sync one time inputs back to checkboxes on ticket update page
- Automatically load more txns to fill browser window on scroll history mode
- Fix duplicated closing tag for attachment delete links
- Remove search string including numbers in ticket autocomplete search on select
- Fix RecentlyViewedTickets to deal with shredded/merged tickets
- Fix bug that kept 11 tickets in the "recently visited" list instead of 10
- Show dependencies (like dashboards) and confirm before deleting saved searches
- Fill up cells of record's last row in search results
- Add support of "Lifecycle =" and "Queue LIKE" to GetReferencedQueues for more search options
- Support copying saved charts like searches
- Fix wrongly duplicated one-time addresses on ticket update page
- Add various missing ColumnMap entries
- Fix error when removing multiple holders of an asset
- Add basic stacked bar chart support
- Remove extra closing div on Login/Logout pages
- Add option to disable ticket linking in articles by class
- Add entry hint as custom field tooltip
- Disable submit on enter when input's autocomplete list shows up
- Support quoted custom fields as values
- Exclude end time when limiting txn date to a day
- Trigger UpdateCc/UpdateBcc input change only once when clicking "All recipients"
- Sync one-time checkboxes to text inputs in a consistent way
- Translate selfservice articles search button
- Support shallow searches for ticket roles
- Support to search user defined group names in watcher limit
- Support order by watcher's custom fields for ticket search
- Support more watcher fields including user cfs in search result format
- Add more watcher fields including user cfs to OrderBy/Columns in search builder
- Upgrade OrderBy "Owner" to new version "Owner.Name" in saved searchs
- Create a standard RT Time Worked report
- Add grouping by custom roles for ticket search charts
- Reduce space used by Current search on Query Builder to avoid saved search overlap
- Group by direct members of role groups for ticket search charts
- Use Name as the default watcher field in search results
- Allow clearing roles on bulk updates page
Administration
- Generalize Owner logic in Shredder to any Single role group
- In shredder, remove SetWatcher rows in transaction history as well
- Add setting $AssetMultipleOwner to allow many owners on assets
- Default --libs-group value from "bin" to "root"
- Add --dry-run option to rt-crontool
- In validator, ensure tickets and queues have all of their default role groups, individually
- In validator, prompt to create missing default role groups
- Skip merged tickets in role groups validation
- Allow to create missing queue-level custom role groups when needed
- For external auth, support cf mappings like CF.foo and UserCF.foo
- Support array and code in attr_map of external auth
- Don't quote table names in shredder SQL output
- Avoid "Wide character in print" warnings when generating shredder SQL output
- Add QuoteWrapWidth option for text quoted during reply/comment
- Set the $AttachmentListCount config's default value to 5
- Clarify external auth logging when users are not found
- Fix removal of scrips when shredding queues
- Avoid errors in shredder when Organization has a hyphen
- Avoid errors in shredder when username has a hyphen
- Avoid errors in shredder when queue name have a hyphen
- Log number of records returned from LDAP search
- Support searching NULL(unset) values on user/group admin pages
- Only show hints for user CFs configured in external settings on create
- Fix removal of custom fields when shredding queues
- Add transaction records for dashboard/savedsearch changes
- For articles, do not encode HTML if skip Escape HTML option selected
- In rt-crontool, add reload-ticket option to refresh metadata before processing
- Avoid a known problem version of Mojo::DOM::CSS
- Update DBIx::SearchBuilder to 1.68 to avoid segfaults on MariaDB 10.2+
- Add parallel support for crontool
- Add Parallel::ForkManager to dependency for parallel crontool
- Log the object that exceeds DependenciesLimit in shredder
- Remove SetOwner rows in transaction history on user shred
- Add ExternalAuth to the exceptions for requiring a password
- Reset ObjectCustomField sort order when re-enabling a Custom Field
- Update ObjectCustomField sort order only if necessary on re-enable
- Pass SavedChartSearchId from chart portlet
- Skip rights check when setting default object custom field values
- Add support to clear mason cache via web interface
- Add LDAP email authentication to External Auth
- Don't shred subgroups' member relationships when shredding ticket role groups
- Provide a way to select privileged and unprivileged users in admin
- Remember IncludeSystemGroups value on page navigation
- Add statement-log option to render statement logs in CLI
- Support to set sort order of applied custom roles
- Show custom roles in correct order on queue watcher and ticket pages
- Add no-sqldump option to rt-shredder to avoid generating backups
- Add paging support for group Members page
- Tweak css for page links to not overflow in Firefox
- Add $ShowSearchNavigation option to skip building search navigation links
- Add ability to search for disabled users
Email Encryption/Signing
- Support separate certificates for SMIME encryption and signing
- Add encryption and signing options for digest email
- Provide an option to skip GnuPG tests
- Handle encrypted outgoing emails in digest email
- Add OtherCertificatesToSend option for SMIME
- Set path to GnuPG binary in GnuPG::Interface constructor
- Fix uninitialized warnings of $latest_user_main_key for gpg 2.2
- Handle FAILURE keyword for gpg 2.2
- Add gpg.conf for gpg 2.2 so we can specify passphrase in command line
- Update warning message tests for gpg 2.2
- Don't override fingerprint if it exists already
- Make t/mail/crypt-gnupg.t pass with gpg 2.2
- Quit gpg-agent after tests for gpg 2.2
- Move signed_old_style_with_attachment.eml to emails directory
- Always use temp gpg homedir to get a cleaner env
- Add extra ignored keywords for gnupg 2.2.x
- Fix unit test to cope with variations in how different versions of OpenSSL print certificates
- Default cert-digest-algo from SHA1 to SHA256
- Bump GnuPG::Interface to 1.00 to support gpg 2.2
- Report the cert authority in an "assured by ..." clause
- Report the S/MIME signer correctly when there is no EmailAddress
- Fix a bug in the logic that suppresses the "email is unsigned" warning
- Add AgorithmName to info returned by ParseKeysInfo
- For GnuPG, add a tooltip with additional info about the signature
- Add ability to download GnuPG public keys
- Store and display additional info about S/MIME signatures
- Extract email addresses from S/MIME certificates as specified in RFC 5750
- Support SMIME certificate revocation using OCSP/CRL
- Add deprecation warnings to RT::Test::GnuPG and RT::Test::SMIME.
- Allow specification of outbound signing/encryption protocol on a per-queue basis
- In Admin/Users/Keys.html, do not call "UseForOutgoing" when we have no $Queue object
- Explain conversion of legacy list args to a hash in CheckRecipients
- Add RT::Attachment->CryptStatus method
- Fix error if a CA certificate does not define CRLDistributionPoints
- Keep entire GnuPG fingerprint; don't truncate to 8 characters
- Include S/MIME certificate serial number in tooltip
- Add ability to download S/MIME c...
rt-4.2.17
RT 4.2.17 -- 2021-09-14
RT 4.2.17 is now available. This is the last release in the
RT 4.2 series. Users should plan to upgrade soon to a supported
release of RT 4.4 or 5.0. The list of changes included with this
release is below.
This release also includes a security fix described below.
https://download.bestpractical.com/pub/rt/release/rt-4.2.17.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.17.tar.gz.asc
SHA-256 sums
177b7e004b90ec7faaac8e21e11b7bc33bd129aba2d512e4b011c37995f8480c rt-4.2.17.tar.gz
95215dd19b46c01303470b8681d27626d3cb6c88a50491d6d5a9c8c7072bebe3 rt-4.2.17.tar.gz.asc
Security:
- In previous versions, RT's native login system is vulnerable to user enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate each
login attempt for valid and invalid usernames. This vulnerability does not allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release.
Updates:
- Remove search string including numbers in ticket autocomplete search on select
- Use the correct CurrentUserCanSetOwner return value.
- Find full path for processing acl files on upgrade
- Find full path for processing index files on upgrade
- Convert to abs path before executing initialdata files
- Remove extra closing div on Login/Logout pages
A complete changelog is available from git by running:
git log rt-4.2.16..rt-4.2.17
or visiting
rt-4.2.16...rt-4.2.17
rt-5.0.1
RT 5.0.1 -- 2021-01-29
We're pleased to announce the general availability RT 5.0.1.
The list of changes included with this release is below. This is
mostly a bugfix release but it also includes some additional
improvements that were not ready in time for the previous release.
https://download.bestpractical.com/pub/rt/release/rt-5.0.1.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.1.tar.gz.asc
SHA-256 sums
6c181cc592c48a2cba8b8df1d45fda0938d70f84ceeba1afc436f16a6090f556 rt-5.0.1.tar.gz
4b7a40a648e2e82575bcfa9d289b4b87129d3a437d0f0161666595cc8a373907 rt-5.0.1.tar.gz.asc
General Updates and Fixes
- Don't display a dropdown in transaction history header if it is empty
- Fix width/max-width for .width-md/.max-width-md
- Switch to the correct *width-lg for existing *width-md elements
- Add the OwnerNameEdit column as an option in the format dropdown in the query builder
- Fix alignment for ticket creation on the group summary page
- Fix radio/checkbox inputs for "click" panel behavior of inline edit
- Preserve message quoting levels when converting HTML to plain text on comment/reply
- In the lifecycle editor, confirm the actions config array value exists
- Fix dark theme pagenum background color overlap
- Fix dark theme action-private color in RichText editor
- Show group tickets on self service closed tickets page
- Restore Total Time Worked to previous position on Ticket Display page
- Search group itself for SelfService "My group's tickets"
- Fix the input name to delete group members on group admin page
- On date selectors, fix the wrongly quoted date input id
- Add RT::Extension::FormattedTransaction to core
- Update HTML in transaction display to remove table-based layout
- Set diff text style rules more specifically
- In ticket search results, don't generate inline editing HTML if inline edit is disabled
- Fix TimeUnits overlap for dark-theme
- Fix dropdown toggle for dark-theme
- Add ability to serve a custom dashboard as the SelfService home page
- Fix datepicker icons for dark-theme
- Add UI for editing and displaying the SortOrder associated with an article
- Fix colors for selectionbox for dark-theme
- Fix bootstrap tooltip colors for dark-theme
- Fix dropzone colors for dark-theme
- Fix EditConfig tab and active colors for dark-theme
- Fix a:visited color change for dark-theme
- Tweak error widget styles to improve display in elevator themes
- Widen input box in Find a user portlet on RT at a Glance
- Use ticket update page layout for "Update ticket" portlet on jumbo page
- Align "Time to display" in footer
- Fix upload file type custom fields in inline edit forms
- Add "CustomFieldView" column type for view-only custom field values in search results
- Fix an error loading the SavedSearches component on the RT at a glance page
- Center comment/reply messagebox on bulk update
- Replace cf hints with tooltips on bulk update
- Fix padding for custom field inputs on bulk update
- In lifecycle editor, update mapping form submission parsing to handle '-' in lifecycle name
- Add new article portlets to the available self service components
- Add Top and Newest Articles portlets for self service
- Add a Home menu item to self service to mirror regular RT
- Display article content in a titlebox container
- Reduce the min-width of self service article list
- Fix naming mismatch preventing system txn/asset/chart saved searches from being added to dashboards
- Order articles in SelfServiceTopArticles by SortOrder
- Fix col layout for transaction custom field values
- On approval ticket display, switch to div to not create illegal nested links
- Make pagination with many linked tickets in linked queue portlet work
- Fix overlap of wrapped long values in forms
- Remove extra, unmatched closing div on Login/Logout pages
- Handle multipart attached emails when TreatAttachedEmailAsFiles is enabled
REST2 API
- Add basic article/class endpoints to REST2
- Add REST2 support for fetching attachment details with selected fields
- Attachment content is now base64 encoded when returned
- Abstract code to process file uploads to avoid duplication for REST2
- In REST2, handle lazy-created custom role groups that don't exist
- Add support for merging tickets in REST2
- Support take/untake/steal for tickets in REST2
- Accept an array of link params on record create for linking multiple tickets
- Add support for updating record links
- Allow attachments to be added when a ticket is created (thanks gibus and puck!)
Administration
- On the RT Portal admin page, set parent height to make iframe take up the whole height
- On user admin page, fix user data link overlap for dark-theme
- 'use' REST2 in web handler as PSGIWrap needs it for the web installer
- Make GnuPG file extensions more easily configurable
- Add .gpg file extension support to RT::Crypt::GnuPG
- Bump DBD::Pg to 3.8.0+
- Allow updating a lifecycle from an invalid value to a valid option on queue admin pages
- Add ShowEditLifecycleConfig option to disable lifecycle admin pages
- Obfuscate passphrase in %SMIME, %GnuPG and %GnuPGOptions on system config page
- In the rt-munge-attachments utility, allow header and content munging to be disabled by flags
- Allow specifying of transactions for rt-munge-attachments to munge
- Make inputs wider on scrip create/modify pages
- Center content on scrip create/modify pages
- Add SelfServiceShowArticleSearch configuration option
- Display TreatAttachedEmailAsFiles as boolean in web UI
- Add option to disable password prompt when creating tokens
- Mark config items containing regexp immutable
- Use JSON format for array/hash items in system config edit web UI
- Find full path for processing acl files on upgrade to work with newer perls
Internals
- Refactor code so we can add history endpoints to new classes more easily
- Avoid permission check to get CF type in CustomFieldValueIsEmpty
- Avoid permission check to get CF CanonicalizeClass
- Confirm the queue default value in %ServiceAgreements is a hash before using it as one
- Extract PriorityAsString config mapping in a method
- Accept string priority values in SetPriority
- Convert to absolute path before executing initialdata files
- In lifecycle mappings, move 'MaybeRedirectForResults' code after mapping updates
- Cache custom field values in mason to improve performance of inline edit
- Allow class-level rights to show self service articles
- Switch to Obfuscate callback for $DatabasePassword/$LDAPPassword configs
- Remove special handling of password like core variables on configuration page
- Fix uninitialized warnings for empty nested dependency
- In ShowCustomFieldCustomGroupings, accept arg for inline edit form action URL
- Drop useless queue parameter in loc call that doesn't have placeholders
- Fall back to "RT::Ticket" item for extended classes in %InlineEditPanelBehavior
- Respect extra query params to build page menus for all search pages
- Check "ShowArticle" right beforehand to get accurate number of articles
Documentation
- Document new FileExtensions config option for GnuPG
- Add missing mapping to lifecycle docs example
- Update existing lifecycle docs screenshots
- Update screenshots in docs with 5.0 versions.
- Fix the image path for subscriptions in feeds doc
- Update README link to backups doc
- Add support for linking POD in subdirectories for README/UPGRADING docs
- Fix MimeType in REST2 doc example
- Move asset examples to their own section in docs
- Update lifecycle docs for lifecycle UI
- Fix asset search endpoint in doc examples
- Fix rt-setup-fulltext-index --dry-run flag docs
- Update instructions for lifecycle mapping page to mention assets
- Document steps to fix home pages with saved search errors
- Document time zone dependencies in MariaDB for charts
- Document switch to JSON instead of Perl for System Configuration editor
- Document the options for modifying links via REST2
- Add take, untake, steal endpoints to docs
- Add documentation for using attachments via REST2
Testing and Developer
- Don't clean gpg stuff if tests are skipped
- Skip gpg homedir creation if tests are going to be skipped
- Add REST2 tests for articles/classes
- Add callback for modifying the group query on self service tickets page
- Add tests to delete group members from web UI
- Add test for the formatted transaction output.
- Add callback to modify CSS files loaded in header
- Test setting lifecycle from an invalid value to default on queue admin page
- Test ticket custom field updates with names containing spaces in REST2
- Fix BeforeMessageBox callback location on Bulk Update page
- Make sure $user always exists to simplify Obfuscate callback a bit
- Test tickets with custom roles applied later
- Add tests for the lifecycle Mappings.html page
- Fix typo in lifecycle_mappings test
- Make admin_queue_lifecycle.t happy when RT_TEST_DEVEL is not enabled
- Update dashboard tests for the format change of system saved searches
- Add tests for system non-ticket saved searches in dashboards
- Add tests for system non-ticket saved searches in MyRT
- Update unit test for JSON entry of hashes/arrays rather than Perl
- Test ticket merge in REST2
- Test ticket steal/take/untake in REST2
- Add REST2 tests for ticket link updates
- Test custom field uploads on ticket create for REST2
- Skip "links" html formatter tests if it's actually "elinks"
- Add AfterQueueAddresses callback for queue admin page
A complete changelog is available from git by running:
git log rt-5.0.0..rt-5.0.1
or visiting
rt-5.0.0...rt-5.0.1